SIM card carrying traffic lights

Apparently some of the traffic lights in Johannesburg, South Africa have SIM cards in them to help maintain the network without a physical connection. Now that’s some and not all, but apparently thieves have learned that the SIMs can be used in cell phones to make anonymous and unlimited calls. Officials are convinced that the thieves have inside information because they only crack open the lights that DO contain a card.

We’re white hats here at Hackaday and certainly don’t want to give out information that aids criminals. But since this is already a huge problem we have an idea of how thieves might be identifying which lights to rob. Sure, they probably do have inside information, but wouldn’t it be fairly simple to track down which lights use cellular communication by using a homemade spectrum analyzer? We guess it would depend on how often the lights send out communication bursts. Does anyone have insight on this? Leave your thoughts in the comments.

From what I was reading last week about this, I think the SIM cards are only used to send data as to whether the light has faults or not. Presumably this is only then once a day or something, perhaps only when the light has a fault.

SIM cards can be provisioned with voice, data, or SMS service. There’s no reason for SIMs in these devices to have anything other than minimal data or SMS plans. Seems this problem could easily be resolved by the cellular provider.

The traffic signal controllers don’t contain the SIM cards directly, instead they connect via RS-232 to some form of GSM/CDMA-enabled Serial-over-IP device (One such product is the Metretek Invisconnect). These are used to talk to remote serial devices all over the place, including vending machines (newer Coke machines can phone in problems/stock), electronic message boards on the highways, and traffic controllers. In these cases, the devices are usually dial-on-demand, or in rare cases, set to phone in once every few hours.

Outside of RS-232 adapters, MANY devices use embedded cellular modems, including modern alarm systems, RedBox movie rentals, and arcade machines (Golden Tee, or anything with national leaderboards).

Embedded cellular devices are far from uncommon, which really makes it look like an inside job, since they are only targeting traffic cabinets.

Even without sending or receiving data, if the device is in contact with the cell I think it will transmit every so often. A cheap radio with antenna held near would work, although camping out under a light with an antenna would be suspicious.

According to this article http://bit.ly/fAnzKY , it seems that both look the same, so antenna could be a printed circuit or a wire hidden inside the box just like the ones we have in our phones. Also the article talks about traffic jams caused after the system failed, so they could have been used for more than just reporting failures and they will need to communicate information more frequently. So a spectrum analyzer with some patience will work, but inside information is way easier, knowing that some of them got stolen again after they were fixed!

So identifying the right lights is easy, just check the outside of the cabinets. Black cap on it? Most likely GSM enabled.

I work in this field, so I kinda know what I’m talking about. The stupid part is in the SIMs, it’s we only use SIMs that cannot be used for calling. And are locked down to a different network. If you steal them they are useless.
Also, our traffic lights trigger silent alarms when you open them.

@fartface Uhm… cellphones these days carry their antennas inside. I’d say that an external antenna would just increase the cost of the solution (well it’s the government, you never know).

What I think is that they should stick them with epoxy or some type of glue, such that trying to pull them out renders them useless.

Now, if they use the SIMs to report fails with the regular phone lines, I also assume they can also implement a mechanism to report through the phone line about cellular failure. I’d also say to use cameras, but they would probably vandalize them or steal the hardware too.

I’m from South Africa, and I can honestly say that it’s definitely not a hack, they’re just not clever enough to do that sort of thing. Most likely it’s a syndicate that got the information from the people who install these lights. That’s normally what happens here: info gets leaked, they get paid a bribe, simple as that, nothing special.

The real question should be …why are they using sim cards that will allow UNLIMITED and ANONYMOUS calls? The use of the cellular tech I have no issues with..but not having security protocols in place is dangerous in any case.

1. make the sim cards limited. Reduces value to crooks. if these are just for reporting fault conditions a very limited number(10-20 per month?) of SMS texts should do the trick. NO phone minutes.
2. make the sim cards traceable in some manner. Not that familiar with the tech, but there has to be some way….
3. harden the TRANSMITTER CASING to make it harder for crooks to steal said sim cards….not a perfect solution as someone will get a hold of the proper tools or find a way to circumvent it eventually. Adds cost(or does it prevent cost…hmmm)., but physical solutions are often the best.
4. create a system to send an alert in case of tampering. A few false positives may happen, but that’s life.

Nothing earth shattering, just simple common sense steps. Don’t depend on any one as a magic bullet. Use them all to reinforce each other.

Pretty bone-headed of them to not only allow communications in the way that this method requires. If it sends status information via SMS to a certain number, the account should be locked to only sending SMS’s to a specific number.

If they stick the traffic light controllers in the big all metal NEMA boxes like they do in my area, then they most certainly would have an external antenna. It may just be that the officials are too boneheaded to notice the difference between a cellular unit and a non-cellular.

I’ll expand on FaSMaB’s post to say that in SA, while there’s the local expertise to go the technical route, the pervasive poverty encourages the social engineering approach. The economics of poverty also suggests that *even if* the sim cards were configured for minimal services, they’d still be considered worth stealing.

How the hell can each light cost $3,000 to repair? A new one shouldn’t cost that much. Even if the thieves were uneducated slobs that just tore everything apart it shouldn’t cost nearly that much or be much more difficult than slapping a new SIM in there.

“How the hell can each light cost $3,000 to repair? A new one shouldn’t cost that much. Even if the thieves were uneducated slobs that just tore everything apart it shouldn’t cost nearly that much or be much more difficult than slapping a new SIM in there.”

You clearly have no concept of how contracting with a government entity works.

What gets me is that it’s a simple point-and-click in the m2m cellular provider interface. Limit data to say, 3mb per month and if you get an overage alert that sim is suspect. Least that’s how it works on this side of the water.

Part 2 is, why can’t they poll the light and kill the sim if they don’t get correct responses?
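The two controls proposed in the comment above (a monthly data cap with an overage alert, and killing a SIM whose light stops answering polls), together with the SMS destination lock suggested earlier in the thread, sketched as an added example that is not part of the original comments or any provider's interface. The record layout, ICCIDs, phone numbers and function names are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

DATA_CAP_BYTES = 3 * 1000 * 1000      # the "3mb per month" figure from the comment
ALLOWED_SMS = {"+27000000001"}        # constructed control-room number
# Constructed usage records: iccid,kind,destination,amount (bytes or seconds)
SAMPLE_CDRS = """\
8927000000000000001,data,apn.example,1200
8927000000000000001,sms,+27000000001,1
8927000000000000002,data,apn.example,2500000
8927000000000000002,data,apn.example,900000
8927000000000000003,voice,+27820000000,340
8927000000000000004,sms,+27830000000,1
8927000000000000005,sms,+27000000001,1
"""
# Constructed poll results: did the controller answer the last status poll correctly?
SAMPLE_POLLS = {
    "8927000000000000001": True,
    "8927000000000000002": True,
    "8927000000000000003": True,
    "8927000000000000004": True,
    "8927000000000000005": False,
}

def audit(cdr_text, polls):
    """Return {iccid: sorted list of policy violations} for one billing period."""
    data = defaultdict(int)
    findings = defaultdict(set)
    for iccid, kind, dest, amount in csv.reader(io.StringIO(cdr_text)):
        flags = findings[iccid]           # registers the SIM even when it is clean
        if kind == "data":
            data[iccid] += int(amount)    # summed so many small sessions still hit the cap
        elif kind == "voice":
            flags.add("voice_used")       # a telemetry SIM should never place calls
        elif kind == "sms" and dest not in ALLOWED_SMS:
            flags.add("sms_to_unapproved_number")
    for iccid, total in data.items():
        if total > DATA_CAP_BYTES:
            findings[iccid].add("data_overage")
    for iccid, answered in polls.items():
        if not answered:
            findings[iccid].add("poll_failed")
    return {iccid: sorted(flags) for iccid, flags in findings.items()}

def sims_to_suspend(report):
    """Any violation marks the SIM for suspension at the provider."""
    return sorted(iccid for iccid, flags in report.items() if flags)
```
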

I use these devices professionally as well, and our SIM cards will not make phone calls. They have data plans limited to 2, 5, 10 or 50 MB. We use Sierra Wireless Raven XT products, a small aluminum enclosed board that communicates RS-232 to TCP/IP protocol – that is, they don’t make phone calls to transmit the data. They can have a small plastic “rubber ducky” antenna if they’re internal to a plastic enclosure and have good reception, otherwise I can also use a yagi or external mag-mount omni antenna with better gain.

I think it’s reckless that they used SIMs that would allow more features than necessary, but probably they have some kind of “pool” deal for all of their cellular equipment, including cell phones and data modems. My company has separate pool deals for data modems and cellular phones, for this reason probably.

@Jtaylor @wigwam GSM allows “local networks” at special prices. For example a company could set a local network for its employees. The employees are allowed to communicate with each other, but the other functions are limited or not available at all.
Under GSM a call is anonymous as much as provider allows it. GSM calls are traceable up to some extent. The problem occurs if there are too many untagged SIMs, or SIMs with same ID, too many bleeps on the screen…

As FaSMaB said it must be a criminal syndication or corruption at work. At $3,000 per unit (overpriced) and unlimited anonymous SIM inside (why), there is a lot of money to go around.

I’m guessing the boxes have to transmit once in awhile to say that they are still working. A non responding light might also indicate a problem and might show up more often than a specific error. I like dan fruzzetti’s idea of placing a speaker by it and waiting for a chirp.

So, I made this collection of info based off of some of the comments posted below the article… If you are lucky enough to be reading all these comments, and you must have been intrigued by the article, no?

Basically, to perform this “hack/thief” all you need to do is:

A: Observe your local intersections, and look for both visual signs, and wireless spectrum signs of GSM signal communication in the area.

!!!!!WARNING UPON OPENING THE CABINETS/LIGHTS!!!!!!
Traffic lights/cabinets trigger silent alarms when you open them.

KEYWORDS I USED:
(Google is your friend here)
RS-232 to some form of GSM/CDMA-enabled Serial-over-IP
Metretek Invisconnect
embedded cellular modems
lights that have an antenna
Black or Grey block fixed to the controller box
GSM interference (217hz)
BOS-Funk (“public safety communication systems”)
the antenna is contained within the cabinet
traffic lights trigger silent alarms when you open them.
Sierra Wireless Raven XT

Once GSM sims have been obtained they probably will only work for DATA (does not mean phone calls won’t work, if you’re smart). They also only have a limited amount of data that can be used before they are depleted. (That’s what the South African hit-men are using as burners which are only good for like A SINGLE PHONE CALL/TEXT)

THEY ARE ANONYMOUS(kinda…GSM can be traced but, fuck it, its one phone call, then phone thrown in a garbage truck…)

How to enable phone calls if you can only use data, use VOIP. I am not disclosing which VOIP to use but, suggesting something w/ extremely low bandwidth usage, and ability to be SSH tunneled, also suggesting encrypting text communication w/ Elite-ANONYMOUS SOCK5 proxy-chain, SUPER-SSH, and *encryption scheme here*package encryption.
This all made in a few delicious copypastas….

I just thought I’d mention that almost all of the comments given thus far deal specifically with the device in question. Which is fine because that’s the main point of the question, and this is after all, hackaday. However, no one is really making note that we are talking about Johannesburg, South Africa here. This isn’t across the street from the Nokia Headquarters in Tokyo, or by an engineering plaza in Munich. Johannesburg is photographed very well in Google Street View, have a look for yourself. The traffic lights do not look like the one in the photo. In a square in the main downtown part of Johannesburg a lot of the traffic lights have a ‘black bubble’ looking thing that sticks off of them at a 45-degree arch. Other traffic lights don’t seem to have them.

Surely there is a method to the madness of which ones have and which ones do not have. Surely if the ‘thieves’ found one that had a S.I.M. card they could logically reason that within a radius of ‘x’ the other traffic lights should have them too.

Also, again, do you have any idea how much corruption and shoddy jobs happen within South Africa. They are not getting ‘traffic light technology’ from the top engineering firms in the world. No. Who knows where the technology came from and who exactly is putting this whole operation together. Maybe whoever was hired to put them in marked them for their own purposes. Maybe there’s a little mark on the devices which have them and which do not.

Anyhow, I think this particular question has more to do with South Africa (Johannesburg), and how they actually ‘installed’ the devices; and less to do with the technology in and of itself. I’m sure if any three of the readers above were to actually walk around Johannesburg, in six minutes they would be able to say “Oh. Wow. Yeah, I’ve figured it out now. That’s so obvious.”

I live in Johannesburg and I’ve got a set of these traffic lights outside my apartment block. The system was installed to notify a central operations centre built and managed by the city Municipality. The system is passive and intended to dial through to the control room when a problem is detected in the normal operation of the traffic lights. An sms message is sent with location, time, a fault code, current status, etc. This system was installed to ease traffic congestion, improve safety and improve repair turnaround times. The problem is that the Johannesburg Municipality has degraded to the point of dysfunction. There are no trained staff to repair these traffic lights, no working vehicles to get them there and even then, the national electricity generating authority (Eskom) cannot provide capacity to reliably operate the traffic lights were they to be fixed.